Data Privacy Addendum
Last Modified: 02/07/2024
This Data Privacy Addendum (“Addendum”) is entered into between Ethena, Inc. (“Ethena”) and your company (“Company”), each a “Party” and collectively the “Parties.” This Addendum amends and forms part of the Ethena Services Agreement, Master Services Agreement, or other comparable agreement entered into by the Parties (“Agreement”) and details the Parties’ obligations on the protection of Personal Data associated with Ethena’s Processing of Company’s Personal Data within the scope of the applicable Agreement.
Company and Ethena agree as follows:
- Definitions. For purposes of this Addendum:
- “Data Protection Laws” means all privacy and data protection laws and regulations anywhere in the world applicable to the Processing of Personal Data, including, where applicable, (i) Regulation 2016/679/EU (“GDPR”), including member state implementations thereof, (ii) the GDPR as incorporated into United Kingdom law by the Data Protection Act of 2018 (“UK GDPR”), and (iii) the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (as amended by the California Privacy Rights Act) and its implementing regulations (“CCPA”), each of the foregoing as amended.
- “Data Subject” means an identified or identifiable natural person or household about whom Personal Data relates.
- “Personal Data” means any data in Ethena’s possession or control relating to a Data Subject that Company or its Authorized Users upload or otherwise input into the Service and that is deemed “personal data,” or “personal information” (or any analogous variations of those terms), as defined by the Data Protection Laws.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Restricted Transfer” means a transfer of Personal Data that is subject to the GDPR, UK GDPR, or the Swiss Federal Act on Data Protection (“FADP”) from the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”) (as applicable) to a country outside of the EEA, Switzerland or the UK (as applicable) which is not subject to an adequacy determination by the applicable data protection authority.
- “Security Incident” means any breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Standard Contractual Clauses” or “SCC” means:
- in respect of Personal Data of EEA Data Subjects, the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) (the “EU Standard Contractual Clauses”);
- in respect of Personal Data of Swiss Data Subjects, the EU Standard Contractual Clauses, provided that any references in the clauses to the GDPR shall refer to the FADP; the term ‘member state’ must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the EU Standard Contractual Clauses; and the SCCs shall also protect the data of legal persons until the entry into force of the revised FADP; and
- in respect of Personal Data of UK Data Subjects, EU Standard Contractual Clauses together with the International Data Transfer Addendum to the EU Standard Contractual Clauses Version B1.0, in force 21 March 2022 (the text of which is available at: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf) ( (the “UK Addendum”).
- “Subprocessor” means any processor engaged by Ethena to assist Ethena in Processing Personal Data in connection with Ethena’s provision of Services.
- Where applicable, the terms “controller,” “business,” “processor,” “service provider,” “consumer,” “sell,” “share,” “business purpose,” “commercial purpose,” and “supervisory authority” (or any equivalent terms) shall have the meaning ascribed to them under the relevant Data Protection Law.
- Role of the Parties and Nature of the Personal Data Processing and Protection.
- The Addendum applies to Ethena’s Processing of Personal Data. In this context, Ethena is a processor or service provider to Company, and Company is a controller or business.
- Ethena will Process Personal Data solely: (1) pursuant to Company’s documented instructions, which will include Processing as authorized or permitted under the Agreement, including this Addendum and to fulfill its obligations to Company under the Agreement, including this Addendum; and (2) as required to comply with Data Protection Laws, provided that Ethena will inform Company (unless prohibited by applicable law) of the applicable legal requirement. Ethena may Process Personal Data to generate non-personal data, such as aggregated, anonymized, or, where legally permitted, de-identified data and use such data for its legitimate business purposes.
- Each Party will comply with its obligations under Data Protection Laws. Ethena will promptly notify Company if it determines that it cannot meet its obligations under Data Protection Laws. Upon receiving written notice from Company that Ethena has Processed Personal Data without authorization, Ethena will take reasonable and appropriate steps to stop and remediate such Processing.
- Ethena will not:
- Retain, use, or disclose Personal Data outside of the direct business relationship between Ethena and Company unless permitted by Data Protection Laws;
- “Sell” or “Share” Personal Data, as such terms are defined in the CCPA; or
- Retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this Addendum or otherwise permitted by Data Protection Laws.
- Ethena will take reasonable steps to ensure that the persons it authorizes to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Ethena will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Personal Data against Security Incidents in accordance with requirements under Data Protection Laws.
- Assistance.
- Data Subject Requests. Upon written request of Company, Ethena will assist Company in the fulfillment of Company’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights under Data Protection Laws (such as rights to access or delete Personal Data) (each, a “Data Subject Request”). Ethena will, to the extent permitted by Data Protection Laws, notify Company without undue delay if Ethena receives a Data Subject Request that identifies Company as the Ethena customer to whom it pertains. To the extent Company, in its use of the Services, does not have the ability to address the Data Subject Request, Ethena will, on Company’s request and at Company’s expense, provide commercially reasonable assistance to Company in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Laws.
- Data Protection Impact Assessments. Ethena will, at Company’s expense, provide reasonable assistance to and cooperation with Company for Company’s performance of a data protection impact assessment of Processing where required by Data Protection Laws, taking into account the nature of Processing and the information available to Ethena.
- Supervisory Authorities. Ethena will, at Company’s expense, provide reasonable assistance to and cooperation with Company for Company’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation under Data Protection Laws to consult with a regulatory authority in relation to Ethena’s Processing of Personal Data.
- Security Assistance. Ethena will provide reasonable assistance to Company to enable Company to fulfill its compliance obligations under Data Protection Laws to secure Personal Data, taking into account the nature of Processing and the information available to Ethena, by providing the information and assistance described in Section 6 (Audits).
- Security Incident. In the event Ethena becomes aware of a Security Incident, Ethena will provide prompt notice to Company without undue delay (and no more than seventy-two (72) hours of becoming aware of the Security Incident). Ethena will take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident and assist Company in complying with any related notification obligations under Data Protection Laws. Ethena’s notice to Company of the Security Incident will include all elements required under Data Protection Law.
- Subprocessors.
- Company authorizes Ethena to use Ethena Subprocessors (including its affiliates) to Process Personal Data in accordance with the provisions within this Addendum and Data Protection Laws. A list of Ethena’s current Subprocessors can be found on Ethena’s website, at https://app.goethena.com/documents/EthenaSubprocessors.html, and Company hereby consents to Ethena’s use of such Subprocessors.
- Ethena will notify Company of any intended changes concerning the addition or replacement of its Subprocessors and provide Company with the opportunity to object to such change within ten (10) days of the notification sent by Ethena. Any objection to a proposed Subprocessor must be done in writing and must be based on a reasonable belief that such change will have a material impact on the protection of Personal Data. Ethena will have the right to cure the objection by, at Ethena’s election: (i) canceling its plans to use the Subprocessor with regard to the Company’s Personal Data or offering an alternative to provide the Service without such Subprocessor; (ii) taking the corrective steps requested by Company in its objection and proceeding to use the Subprocessor with regard to Company’s Personal Data; or (iii) providing Company the opportunity to agree to not use the particular aspect of the Service that would involve the use of such Subprocessor with regard to Company’s Personal Data. If Ethena notifies Company that none of the foregoing remedies are feasible and the Subprocessor change will apply, then, notwithstanding anything in the Agreement, Company may by providing written notice to Ethena within five (5) days of receipt of such notice from Ethena, immediately terminate the Agreement (including this Addendum), to the extent it relates to the Services which require the use of the proposed Subprocessor.
- Ethena will impose data protection obligations upon any Subprocessor that are no less protective of Personal Data than those included in this Addendum. Ethena is liable for its Subprocessors’ performance in connection with the Agreement to the same extent Ethena is liable for its own performance, including their breach of any Data Protection Law with respect to Personal Data, consistent with the limitations of liability set forth herein.
- Audits.
- Ethena will make available to Company such information in Ethena’s control and possession reasonably necessary to demonstrate compliance with the obligations under this Addendum and allow for and contribute to audits and inspections conducted by Company. Company will not exercise its audit rights more than once in any twelve (12) month calendar period. Any such audit will be tailored to what is reasonably necessary to verify Ethena’s compliance with this Addendum and during Ethena’s normal business hours. Company shall conduct its audit in a manner that will result in minimal disruption to Ethena’s business operations. For the avoidance of doubt, this provision does not grant Company any right to conduct an on-site audit of Ethena’s premises.
- Nothing herein will require Ethena to disclose or make available (i) any data of any other customer of Ethena; (ii) access to its systems; (iii) Ethena’s internal accounting or financial information; (iv) any trade secrets of Ethena; (v) any information or access that, in Ethena’s reasonable opinion, could (a) compromise the security of Ethena’s systems or premises; or (b) cause Ethena to breach its obligations under Data Protection Laws or applicable contracts; or (vi) any information sought for any reason other than the good faith fulfillment of Company’s obligations under Data Protection Laws to audit compliance under the Addendum.
- The audit may be carried out by a third party auditor appointed by the Parties. To the extent the Parties appoint a third party representative to conduct the audit, Company shall ensure that such third party representative is bound by obligations of confidentiality no less protective than those contained in this Addendum. All audits shall be conducted at Company’s reasonable expense.
- Company will provide written communication of any audit findings to Ethena, and the results of the audit will be the confidential information of Ethena.
- Return or Destruction of Personal Data. Upon termination or expiration of the Agreement, unless prohibited by law, Ethena shall within a commercially reasonable time period and without undue delay at the choice of Company: (i) return all Personal Data to Company and delete or anonymize existing copies or (ii) destroy and delete or anonymize all Company Personal Data. Notwithstanding the foregoing, Ethena may retain Personal Data to the extent required by applicable law or pursuant to its standard backup protocols. The certification of deletion contemplated by Section 8.5 of the SCCs shall be provided on Customer’s written request.
- International Transfers of Personal Data. With respect to Restricted Transfers of Personal Data, the Parties agree that the Standard Contractual Clauses shall apply, form part of this Addendum, and take precedence over the rest of this Addendum to the extent of conflict, with the following modifications below:
- Transfers from the EEA or Switzerland. With respect to transfers of Company Personal Data out of the EEA or Switzerland, the EU Standard Contractual Clauses will apply and are incorporated into this Addendum by reference, provided that: (i) Module Two will apply and all other module options will not apply; (ii) in Clause 7 (Docking clause), the optional docking clause will apply; (iii) in Clause 9 (Use of sub-processors), Option 2 will apply and the time period for prior notice of Subprocessor change shall be set out in Section 5 of this Addendum; (iv) in Clause 11 (Redress), the optional language will not apply; (v) in Clauses 17 (Governing Law) and 18 (Choice of Forum and Jurisdiction), the Parties choose the law of Ireland and the courts of Ireland; (vi) Annex I is completed as set out in Annex 1 hereto; (vii) Annex II is completed as set out in Annex 2 hereto; and (viii) Annex III is completed as set out in Section 5 of this Addendum.
- Transfers from the UK. With respect to transfers of Company Personal Data out of the UK, the UK Addendum will apply and is incorporated into this Addendum by reference, provided that (i) details of the Parties in Table 1 of the UK Addendum shall be as set out in Annex 1 hereto, with Company as the exporter and Ethena as the importer (with no requirement for signature); (ii) for the purposes of Table 2, the UK Addendum shall be appended to the EU Standard Contractual Clauses as modified in Section 8.a. above and including the Annexes; (iii) the appendix information listed in Table 3 is set out in this Addendum; and (iv) either Party may end the UK Addendum as set out in Section 19 of the UK Addendum.
- Each party’s signature to the Agreement incorporating this Addendum shall be considered a signature to the Standard Contractual Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Standard Contractual Clauses as separate documents. In case of conflict between the Standard Contractual Clauses and this Addendum, the Standard Contractual Clauses will prevail.
- Indemnity and Limitations of Liability. Ethena shall indemnify, defend and hold harmless Company against any and all claims, damages, expenses and costs directly attributable to any failure by Ethena to comply with the obligations under this Addendum. As this Addendum is part of the Agreement, the total aggregate liability of Ethena, including any liability for its Subprocessors’ violations, under or in connection with this Addendum will be subject to, and count toward, the agreed limits on liability under the Agreement. Parties shall also follow the indemnification procedures set forth in the Agreement.
- Conflict. In the event of any conflict or inconsistency between the Agreement and this Addendum, this Addendum shall prevail.
- Governing Law. The Agreement’s choice of law and venue provision apply to this Addendum unless otherwise required by law.
This Addendum is executed by duly authorized representatives of each Party.
Annex 1
Details of Processing Activities
A. LIST OF PARTIES
Data exporter(s):
Name: Company, as set out in the Agreement.
Address: Company address, as set out in the Agreement.
Contact person’s name, position and contact details: Company’s contact details, as set out in the Agreement.
Activities relevant to the data transferred under these Clauses: Use of the Service pursuant to the Agreement.
Signature and date: This Annex 1 shall be deemed executed upon execution of the Agreement.
Role: Controller
Data importer(s):
Name: Ethena, Inc.
Address: 33 Nassau Ave., 2nd Floor, Brooklyn, NY 11222
Contact person’s name, position and contact details: As set out in the Agreement.
Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Services pursuant to the Agreement, including as described under the Addendum, its appendices, and any applicable Order Form and/or Statement of Work.
Signature and date: This Annex 1 shall be deemed executed upon execution of the Agreement.
Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Depending on the Services in scope of the Agreement, the categories of data subjects whose Personal Data is processed include employees, officers, contractors, consultants, temporary workers, and other authorized users of the Services.
Categories of personal data transferred
Depending on the Services in scope of the Agreement, the categories of Personal Data processed include name; email address; country and state of work; manager status; information, data, and responses submitted by the users of the Service; electronic identification data (notably IP addresses and user agent data); manager, department, office location, and additional custom fields selected by Company, incident reports or other feedback; as well as any other Personal Data that may be processed pursuant to the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None anticipated, unless provided by an employee or other authorized user of the Services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous, for the length of the Agreement between the parties.
Nature of the processing
The nature of the processing is the Services as described in the Agreement.
Purpose(s) of the data transfer and further processing
For Ethena to provide the Services, as set out in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal data shall be retained for the length of time necessary to provide the Services under the Agreement, or as otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Ethena’s Subprocessors will process personal data to assist Ethena in providing the Services pursuant to the Agreement, for as long as needed for Ethena to provide the Services.
C. COMPETENT SUPERVISORY AUTHORITY
In respect of the Standard Contractual Clauses, means the competent supervisory authority determined in accordance with Clause 13 of the SCCs. In respect of the UK Addendum, means the UK Information Commissioner's Office.
Annex 2
Technical and Organizational Measures Designed to Ensure the Security of Personal Data
This Annex 2 describes the technical and organizational measures implemented by Ethena which are designed to apply to Personal Data an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Minimum Technical and Organization Measures
A. Ethena has implemented and will maintain reasonable and appropriate technical and organizational measures designed to protect Personal Data against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction, including the policies, and procedures and internal controls set forth in this Annex 2.
B. More specifically, Ethena’s security program includes, at a minimum:
Certifications
- Ethena maintains a yearly SOC 2 Type 2 examination in the trust service categories of security and availability.
- A copy of Ethena’s SOC 2 Type 2 report is available upon request (subject to confidentiality obligations).
Data Hosting
- Personal Data is hosted and stored in Amazon Web Services, at centers located in the United States.
- No Personal Data transmitted outside the United States and Canada except to the extent the Services are used by Company’s authorized users in other geographies; in such case, processing will be done in accordance with Data Protection Laws and this Addendum.
Data protection
- Accessing all critical systems requires multi-factor authentication, and Ethena enforces multi-factor authentication on all of its company accounts where available.
- TLS used for data transmission (SSL v3 not used for security reasons).
- All Personal Data encrypted at rest at the storage layer using the industry standard AES-256 encryption algorithm.
- All servers (application and database) are regularly updated to help integrate the recency of security patches.
- Sophos InterceptX Endpoint Protection is deployed on all corporate devices.
- Full disk encryption is enabled on all corporate devices.
Application access
- Single Sign-On (SSO) available. Standard product includes single sign-on via Google account for administrators, and Ethena training is delivered via magic links.
Application Security
- Ethena is a multi-tenant cloud platform. In addition to care taken by Ethena’s engineering team, Ethena’s penetration testers stress test to ensure no cross company access is possible as a part of their yearly white box penetration testing.
- Only HTTPS endpoints are exposed to the public internet.
- Ethena prioritizes regular updates to the latest version of core frameworks.
- All changes made to the application are tied to change requests and require review by another engineer.
- Ethena runs a Continuous Integration/Continuous Delivery pipeline powered by Github and AWS.
- Ethena’s infrastructure is powered by version-controlled Terraform, requiring the same review practices as all other code at Ethena.
Personnel Management
- All employees with database access are background checked. As permitted under applicable law, background checks cover criminal history, credential/education verification, employment history verification, and professional reference checks.
- Security training conducted upon onboarding and annually thereafter. Training covers, at a minimum:
- Relevant privacy laws
- Phishing (see anti-phishing training and testing policy for more info)
- Safe password creation and management (corporate password management solution required)
- Two-factor authentication (required where available; enforced where possible to enforce)
Third-party audits
- Independent penetration tests are performed after every major release, and they cover both internally and externally facing systems (application and infrastructure).
- Vulnerability scanning is a part of every penetration test.
- An attestation letter from our most recent penetration test performed by Mandiant can be made available upon request.
Vendor/subcontractor management
- All vendors/tools that have access to Personal Data or are critical to Ethena’s function are reviewed for their security practices (including audits from credible third parties) ahead of their use.
- Any time a substantial update to privacy or security policies is announced, that update is reviewed.
- Only work with Subprocessors who are SOC 2 compliant.